From 78cc973dc75aad0acc5c125e3a7c29c985d4f698 Mon Sep 17 00:00:00 2001
From: Hatter Jiang <jht5945@gmail.com>
Date: Tue, 27 Jan 2026 23:25:31 +0800
Subject: [PATCH] add deno-piv-mod.ts

---
 libraries/deno-piv-mod.ts | 44 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 libraries/deno-piv-mod.ts

diff --git a/libraries/deno-piv-mod.ts b/libraries/deno-piv-mod.ts
new file mode 100644
index 0000000..a7f3157
--- /dev/null
+++ b/libraries/deno-piv-mod.ts
@@ -0,0 +1,44 @@
+import {execCommand} from "https://global.hatter.ink/script/get/@18/deno-commons-mod.ts";
+import {encodeHex} from "jsr:@std/encoding/hex";
+
+// example output
+// > await signPiv("r1", await sha256AndHexMessage("hello world"))
+// {
+//   algorithm: "ecdsa_p256_with_sha256",
+//   hash_hex: "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9",
+//   signed_data_base64: "MEYCIQDfdAyrWLjjChbDwhZ0vapVthJDUfy1BUZsCGOWLCSnKwIhAOB5JQ2oxF3URwAIlOSftBi2kzscr6wcLn3rU6ygtVr1",
+//   signed_data_hex: "3046022100df740cab58b8e30a16c3c21674bdaa55b6124351fcb505466c0863962c24a72b022100e079250da8c45dd447000894e49fb418b6933b1cafac1c2e7deb53aca0b55af5",
+//   slot: "R1"
+// }
+interface CardPivEcSignOutput {
+    algorithm: string;
+    hash_hex: string;
+    signed_data_base64: string;
+    signed_data_hex: string;
+    slot: string;
+}
+
+export async function signPiv(
+    slot: string,
+    digestSha256Hex: string,
+): Promise<CardPivEcSignOutput> {
+    const processOutput = await execCommand("card-cli", [
+        "piv-ecsign",
+        "-s",
+        slot,
+        "-x",
+        digestSha256Hex,
+        "--json",
+    ]);
+    processOutput.assertSuccess();
+    return JSON.parse(processOutput.stdout) as CardPivEcSignOutput;
+}
+
+export async function sha256AndHexMessage(message: string): Promise<string> {
+    return encodeHex(
+        await crypto.subtle.digest(
+            "SHA-256",
+            new TextEncoder().encode(message),
+        ),
+    );
+}